CVE-2020-8632: 
NixOS vulnerability analysis and mitigation

CVE-2020-8632 affects cloud-init through version 19.4, specifically in the rand_user_password function within cloudinit/config/cc_set_passwords.py. The vulnerability was discovered in January 2020 and publicly disclosed in February 2020. The issue affects cloud-init installations across multiple Linux distributions including Ubuntu, Red Hat Enterprise Linux, and Debian (NVD, Debian Security).

The vulnerability stems from the rand_user_password function having a default password length (pwlen) value of 9 characters, which was deemed insufficient for security purposes. The small default password length significantly reduced the entropy of generated passwords, making them more susceptible to brute force attacks. Analysis showed that the 9-character passwords only provided 52 bits of security, which was below the minimum recommended security level (Launchpad Bug).

The insufficient password length makes it easier for attackers to guess or crack randomly generated passwords, potentially leading to unauthorized system access. This is particularly concerning in cloud environments where cloud-init is commonly used for instance initialization and configuration (Red Hat Security).

The issue was fixed by increasing the default password length from 9 to 20 characters, raising the bits of security from 52 to 115. This change was implemented in cloud-init version 20.1. The fix was backported to various distributions through their respective security updates (GitHub PR, OpenSUSE Security).